How to protect an Aruba Mobility Access Switch infrastructure from Layer 2 and Layer 3 spoofing attacks?

Switches in general are susceptible to many Layer 2 and Layer 3 attacks, such as ARP spoofing, MAC spoofing, DHCP starvation and IP spoofing.

These attacks often spoof the source IP address or MAC address to conceal the true source of the attack. This can be mitigated by enabling DHCP snooping together with IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI) on the Aruba Mobility Access Switch.

DHCP snooping:

When DHCP snooping is enabled, the system snoops DHCP messages to learn lease information and builds and maintains a database of valid IP address to MAC address bindings, called the DHCP snooping database, which supports security features such as IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).

IP Source Guard (IPSG):

IP spoofing is the creation of IP packets with a forged source IP address, either to conceal the identity of the sender or to impersonate another computing system. When IPSG is enabled on an interface, the Mobility Access Switch drops all IP traffic received on that interface except DHCP packets permitted by DHCP snooping and IP traffic whose source IP address appears in the IP source binding table.

Dynamic ARP Inspection (DAI):

Using the bindings learned through DHCP snooping, or bindings configured manually, the switch can verify that the MAC address information carried in ARP messages is accurate, protecting against an attacker attempting Layer 2 spoofing.

DAI treats an ARP packet as invalid in either of the following two cases; it drops the invalid packet and generates a log message:

The source MAC address in the Ethernet header does not match the sender MAC address in the ARP header.

There is no corresponding DHCP snooping binding entry for the sender IP and MAC addresses in the ARP header.
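As an added illustration (not code from this article or from Aruba), the Python model below shows how the DHCP snooping binding table feeds the IPSG check and the two DAI checks described above; the ports, VLAN, addresses and packet fields are constructed sample values.

```python
# Added example, not Aruba code: a simplified model of the DHCP snooping
# binding table and the IPSG / DAI checks that rely on it. Ports, VLANs,
# addresses and packet fields are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str

# The DHCP snooping database: populated as DHCP ACKs are snooped.
BINDINGS: set[Binding] = set()

def learn_from_dhcp_ack(port: str, vlan: int, yiaddr: str, chaddr: str) -> Binding:
    """DHCP snooping: record the IP/MAC/VLAN/port binding from a snooped ACK."""
    b = Binding(yiaddr, chaddr.lower(), vlan, port)
    BINDINGS.add(b)
    return b

def ipsg_allows(port: str, src_ip: str, is_dhcp: bool = False) -> bool:
    """IP Source Guard on a guarded port: DHCP is always permitted (so a host
    can obtain a lease); other IP traffic passes only if its source IP is
    bound to this port in the snooping database."""
    if is_dhcp:
        return True
    return any(b.port == port and b.ip == src_ip for b in BINDINGS)

def dai_reason(eth_src: str, arp_sha: str, arp_spa: str):
    """Dynamic ARP Inspection: return None if the ARP packet is valid, else
    the reason (one of the two cases from the article) that would be logged."""
    if eth_src.lower() != arp_sha.lower():
        return "Ethernet source MAC does not match ARP sender MAC"
    if not any(b.ip == arp_spa and b.mac == arp_sha.lower() for b in BINDINGS):
        return "no DHCP snooping binding for ARP sender IP/MAC"
    return None

# Constructed sample leases, as DHCP snooping would see them.
learn_from_dhcp_ack("GE0/0/1", 10, "10.0.1.10", "AA:BB:CC:00:00:10")
learn_from_dhcp_ack("GE0/0/2", 10, "10.0.1.11", "AA:BB:CC:00:00:11")
```

A packet that passes the first DAI check but claims another host's IP still fails the second, which is why the binding table, not the MAC consistency check alone, is what stops gateway impersonation.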

DHCP snooping, IP Source Guard and Dynamic ARP Inspection (DAI) are new features introduced in AOS version 7.3.0.0; any version below 7.3.0.0 does not have these features.

Environment: All the sample outputs in this article are from an Aruba S2500 Mobility Access Switch running AOS version 7.3.0.0.

DHCP snooping builds the binding database that supports the security features IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).